Disable firewall on GL-MT3000 router

Hi there,

I have a situation where I'm building a mobile robot in a restrictive wifi network situation:

  • The mobile robot consists of several low-power computers communicating on the wifi network A created by the GL-MT3000 router.
  • The GL-MT3000 router is connected to a restrictive company wifi network B.
  • Other high-power computers remain stationary and connected to network B.

The GL-MT3000 router is able to connect to the internet and I can ssh into all machines in networks A and B.

However, I cannot communicate by Flask (http) and ROS 2 discovery server through the GL-MT3000 router likely due to firewall issues.

To verify this I would like to disable the firewall entirely.
Can someone please explain how to do this?

Checked out the "LuCI Advanced Settings" but did not figure it out.

P.S. Tried to put the router into "Extender" network mode, but this does not work with the company router (req. HTML login etc.).

I think the fastest way is deleting the zone of the interface like here in luci -> network -> firewall:

Please note my zone may be different; just remember the one you have :slight_smile:

If that does not work then you may need to adjust these to accept as well:

And also make sure to look into the DHCP options in LuCI; there are some options which may also prevent you from connecting, like rebind protection, or other options.

You can also completely shut down the firewall:

under System -> Startup, but I often recommend first trying without the zone :wink:

Thanks for the prompt response xize11 :slightly_smiling_face:

I tried to delete the zones and shutdown the firewall.
Both actions resulted in loss of internet access. Turning on the firewall immediately restored internet.

Any idea about what's up?

The firewall rules are not only there to block network traffic; they steer all network traffic. So shutting down the firewall will shut down all interconnection between the different networks. This may work if every device is in one subnet, so no routing is needed.

If I understand your issue, the robot is on LAN and should be reachable on all ports from WAN. In that case I would try to put the robot in DMZ: Port Forwarding - GL.iNet Router Docs 4 ... This is a 'special port forwarding', in which all traffic to the router on WAN goes to the configured device in LAN.

This still could lead to non routed traffic, because it is still NAT.
If this doesn't work, could you provide a table or picture with the involved IPs and connections? Plus which exactly is not routed/working?


I agree with what @LupusE says here; stopping the firewall might be too much also for the internal scripts by gl-inet, but you can also set everything on wan to accept, which should be enough to still allow wan routing.

Thanks for the suggestions LupusE

Too bad there seem to be no simple "allow all traffic" option.

I attached a figure showing the network set up. I can communicate between machines connected directly to the company router, as well as between machines connected to the GL-MT3000 router. The problem is communication between these two groups.

If the GL-MT3000 router did not block the ROS 2 communication traffic, then the router should be able to properly route traffic to each machine in the GL-MT3000 network, no?

About DMZ. If I had only one machine in the GL-MT3000 network I suppose this might be a potential solution. In the case of multiple machines, the assigned DMZ machine would not automatically route communication to the other machines, right?


But this is how Networks work. This won't change because you don't like this.

Yes, you are right, the DMZ works only for one target.

But in your picture I don't see which is 'the server'. There should be one server and one client. If the server is in 192.20.137.0/24, the clients in 192.168.8.0/24 should reach it. But the 'server' in 192.20.137.0/24 can't 'publish itself' in the 192.168.8.0/24 network. The clients need to know how to contact ...

This is all valid for 'Network - Network Mode': Router.
You can change the setting to 'Extender'. I haven't used this, but in general it should disable the local DHCP and transparently add all devices connected to LAN and/or WLAN to the WAN network, without routing/NAT.

See: Network Mode - GL.iNet Router Docs 4


Glad to see that I am not the only one who is unsuccessfully trying to disable the firewall :cry:

Please post here the solution :pray:

If you disable the firewall, you also disable routing. So the router is useless.
The firewall also contains the forwarding rules from WAN to LAN.

The WAN side has one IP. You need the firewall rule for routing to answer requests from LAN to WAN and route them back.
If you delete every reject and drop rule 'to disable the firewall' as you requested, all packets will be received by the router's WAN port. And now? What should it do?

Maybe you don't want a router, you just want a switch.

Solution: With GL.iNet devices you could put every device to the (W)LAN side. Ignore the WAN port... No firewall at all.


ok :+1:

can you please explain this :thinking:

I would like, for example, open the webcam session without using port forwarding:

This is still not possible.

Ask your ISP for an IP block, use a router that is able to handle IP blocks, and you can use your IP cam without port forwarding.
This is so far from what we are doing here.

You are a small private consumer. In our world you could be lucky if you even get a public IP and not something like CGNAT...

If you use NAT, to have internet to more than one endpoint behind one ISP line, you need port forwarding.
I don't know what we are discussing here. I think I tried to explain how it works. I don't get what is the issue with using a system (network) how it is designed.
Who told you port forwarding is bad? What do you want to achieve?

What I am explaining is just IPv4 related.

Thanks for the picture. Now I can see it. I don't like GUI browsing on the road.
We are talking about an internal LAN. But the issue is the same; only there is no ISP involved.

At first: Why do you split 192.178.178.1 and 189.168.8.1?
You could simply set your router as extender. It will get a 192.168.178.0/24 address via DHCP from the main router, and all devices as well. No translation, no firewall.
Read Network Mode - GL.iNet Router Docs 4 ... I think the mode 'extender' should be named 'bridge', too. But I understand how GL.iNet tries to make a difference from LAN-bridging to WLAN extender in the UI.

You could, on your main router, set a static route for 192.168.8.0/24 via 192.168.178.nnn (WAN IP of the MT3000). If you try to reach 192.168.8.100 (for example as IP of the webcam), the PC asks the gateway 192.168.178.1; this will look up its static routing table (192.168.8.0/24 -> ...) and send the request to 192.168.8.1, which sends it to the destination.
I am not sure if the MT3000 needs further settings to accept requests from WAN ...

For your Picture: It seems 'Gateway' is the wrong wording, if you want to describe the IP for the MT3000.

First: thank you very much for your time :+1:

Second: the picture shows the static route 192.168.8.0 from the Fritz main router to the 192.168.8.76 MT3000 router;

Third: from the pc I can ping the router 192.168.8.1, but not the webcam 192.168.8.140 :thinking:

I tried that, it works as expected, but sometimes the webcam did connect to the main router with a very weak signal.

Is there a way to force the webcam to connect to the MT3000 only ?

This is covered with:

I don't own a MT3000. And I am not at home to build a lab to test with similar devices. But your issue is the forwarding, not the firewall. So this whole topic is the wrong thread.

With the given keywords and a little forum search, I would trust Static route on Marble GL-B3000 (Beta Tester) - #2 by dxf and try in LuCI to set the 'Firewall (how ironic) - Zone Settings' on Name 'wan' at option 'Forward' to 'accept' ... and follow the hints in this post.
I am at home on Monday, but don't expect to have time for another lab to test the OpenWrt settings myself.

Buy a webcam that supports 802.11r, to choose the best AP in range without disconnecting.
Or set the BSSID (Mac) instead of the SSID, if it is supported in the Webcam ... I think this is really an issue of the webcam not of the network.
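The two conditions discussed in this thread (a static route on the main router pointing 192.168.8.0/24 at the MT3000's WAN address, and the MT3000's wan zone forward policy set to accept) can be traced step by step. The following is an added illustration, not code from the thread or from GL.iNet; the MT3000 WAN address 192.168.178.76 and the PC address 192.168.178.20 are assumed values, and the zone check is a simplified model of the OpenWrt wan-to-lan forward policy.

```python
import ipaddress
from typing import Optional

# Constructed topology following the thread: Fritz main router on
# 192.168.178.0/24, GL-MT3000 LAN on 192.168.8.0/24. The MT3000 WAN
# address 192.168.178.76 is an assumption for this example.
MT3000_WAN = "192.168.178.76"
MT3000_LAN = "192.168.8.0/24"
MAIN_ROUTER_ROUTES = {
    "192.168.178.0/24": "direct",   # connected network
    "0.0.0.0/0": "isp-uplink",      # default route
}
STATIC_ROUTE = {"192.168.8.0/24": MT3000_WAN}


def lookup(routes: dict, dst: str) -> Optional[str]:
    """Longest-prefix-match lookup, the way a router picks a next hop."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nexthop in routes.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return best[1] if best else None


def mt3000_forwards(wan_forward: str, dst: str) -> bool:
    """Simplified wan->lan forward decision of the MT3000 firewall zone.
    A packet arriving on WAN for a LAN host is only passed when the
    wan zone's forward policy is 'accept'."""
    if ipaddress.ip_address(dst) not in ipaddress.ip_network(MT3000_LAN):
        return False
    return wan_forward == "accept"


def trace(static_route: bool, wan_forward: str,
          dst: str = "192.168.8.140") -> str:
    """Follow a packet from a PC on the main network to a MT3000 LAN host."""
    routes = dict(MAIN_ROUTER_ROUTES)
    if static_route:
        routes.update(STATIC_ROUTE)
    hop = lookup(routes, dst)
    if hop != MT3000_WAN:
        return f"lost: main router sends {dst} to {hop}"
    if not mt3000_forwards(wan_forward, dst):
        return f"rejected: MT3000 wan zone forward={wan_forward}"
    return f"delivered to {dst}"
```

Without the static route the main router hands the packet to its default route; with the route but the default wan zone policy, the MT3000 itself rejects it, which matches the "no ping to the webcam" symptom even though the router's own address answers.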

Yes, it is just my case :+1:
I applied the same configuration, but it does not work: cannot ping the webcam.
I will try resetting the router and starting from a clean configuration.
Thanks for help, marco

No ping could have many reasons. Ping is the ICMP protocol, it is a good troubleshooting tool in fully controlled environments.
I'd recommend trying to reach the web frontend of the webcam. This is TCP. A little easier to use in our case.
Later we can take a look at the ICMP handling.

true :+1:
tried to access the foscam camera at 192.168.8.140:88 but no answer

In my GL-iNet pouch bag (greetings to @JoyceNI), I still have my Slate AX and the place where I am uses a Fritz!Box... Maybe I can test tomorrow.
Now I need to make ready for a party. Don't support and drink!
